Proposed Patch - LDAPS support for servers on port 636 w/o TLS

From: stephen layland <steve(at)68k(dot)org>
To: Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Proposed Patch - LDAPS support for servers on port 636 w/o TLS
Date: 2008-04-26 01:02:40
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Hey Postgres Hackers,

this is my first time here, so... hi!

I've written a quick patch against the head branch (8.4DEV, but it also
works with 8.1.3 sources) to fix LDAP authentication support to
work with LDAPS servers that do not need start TLS. I'd be interested
to hear your opinions on this.

Quick overview:

The OpenLDAP recommended LDAPS configuration (as of OpenLDAP
2.4?) is to have a regular (unencrypted) LDAP server listening
on standard port 389. Encryption will begin when the client
issues a STARTTLS request ala SMTPS.

Some older LDAP servers may not support TLS and instead have the
SSL enabled ldap server listening on the ldaps port (usually

While I agree it's probably not worth it to support older
'unrecommended' setups, many organizations are slow on the
uptake of recommended practices (mine is one of them :) ).
Allowing PostgreSQL to work with these organization's setups out
of the box helps us pitch the db to organizations easier,
especially those possibly overly paranoid about security.

My solution was to create a boolean config variable called
ldap_use_start_tls which the user can toggle whether or not
start tls is necessary. The default is to use start tls and
the recommended configuration. I also updated the documentation
and cleaned up the prefix/suffix/basedn interface so it's a bit
more intuitive to the user (i.e. - the basedn setting is
actually used, what they do are explained in the docs, etc.)
Some people actually found that using an auth uri of:


worked. I think a more intuitive form would be:


though this can be debated.

If any of you are interested in this, feel free to check out the patch
located here:

Please note that this patch does not implement ldaps for Albe Laurenz'
code that allows config to pull from LDAP via pg_service.conf, though it
should be easy to do.

I have tested this patch on the following configurations:

Client OS: RHEL4
Postgres 8.1.3 sources
Postgres 8.4DEV (cvs HEAD branch as of Apr 24)
libldap client:
OpenLDAP version 2.2.12 (latest for RHEL4 subscriptions)
OpenLDAP version 2.3.39 (stable)
libldap server:
OpenLDAP slapd version 2.2.x? on CentOS 4 or 5. (<-- no access)

Thanks a bunch,

-Steve (rockpunk @ #postgresql)

// ste\/e || 0x158f7a45 //
live now. die later.


Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2008-04-26 01:34:13 Re: Tech details - psql wraps at window width
Previous Message Jacques Caron 2008-04-25 23:27:45 FSM fill ratio